We use AOSP branch 4.4.2. We see the problem on upgrade from JB to KK. If we do a reset, then all new /data/data/<app> directories are created with the KK label as expected.
Based on the previous commit, I have to change the seinfo for the rule to work.

-user=_app seinfo=platform name=com.cisco.vvm domain=vvm_app type=platform_app_data_file
+user=_app seinfo=vvm_app name=com.cisco.vvm domain=vvm_app type=platform_app_data_file

In this case, the mac_permissions.xml does have the seinfo set to vvm_app for that app. I'm not sure whether that causes the confusion or not. I was confused why the seinfo=platform doesn't work.

Thanks,
Tai

On 4/6/15, 8:41 AM, "Stephen Smalley" <[email protected]> wrote:

>On 04/03/2015 05:02 PM, Tai Nguyen (tainguye) wrote:
>> Do we have any restriction on using app_data_file domain for system_app?
>>
>> We made the following change, but the data directory still shows
>> system_app_data_file.
>>
>> - File mac_permissions.xml
>>
>> <signer signature="@PLATFORM" >
>> <!-- CFG app -->
>> <package name="cip.cfg">
>> <seinfo value="cfg_app" />
>> </package>
>>
>> - File seapp_contexts
>> user=system seinfo=cfg_app name=cip.cfg domain=system_app type=app_data_file
>>
>> This is for KitKat 4.4 code base. The app needs to be system_app for
>> other interaction but its data does not need to be protected.
>
>You need to specify whether you are using one of our branches (and if
>so, which one, e.g. seandroid-4.4.4) or vanilla AOSP (and if so, which
>release tag or branch, e.g. android-4.4.4_r2.0.1 or
>kitkat-mr2.2-release). Vanilla android-4.4.x_rN does not include the
>code changes necessary to automatically relabel the app's /data/data
>directory on upgrades but should label it correctly on first creation
>regardless, whereas our seandroid-4.4.x branches include a backport of
>the support that went into Android 5.0 Lollipop. Are you seeing the
>problem on an upgrade with an already existing /data/data/cip.cfg
>directory or on first creation?
>
>With regard to your configuration, you can either select on package name
>in mac_permissions.xml and map to a unique seinfo or you can select on
>package name in seapp_contexts; you shouldn't need to do both. For
>example, you ought to be able to achieve the desired effect in this case
>just via a change to seapp_contexts since the app is already platform
>signed and would get the platform seinfo; you can just add this line to
>seapp_contexts:
>
>user=system seinfo=platform name=cip.cfg domain=system_app type=app_data_file
>
>and not need to change mac_permissions.xml at all.

_______________________________________________
Seandroid-list mailing list
[email protected]
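The interaction the thread is circling (a per-package seinfo in mac_permissions.xml silently changing which seapp_contexts entry can match) is easier to see with a small model of the lookup. The script below is an added example written for this page; it is not code from the thread, from AOSP or from the seandroid project. It is a simplified re-implementation of how libselinux derives an app's seinfo from mac_permissions.xml and then picks the most specific matching seapp_contexts entry (selector precedence isSystemServer, user, seinfo, name; no path, sebool, prefix or isolated-user handling). Both configuration files, the UID-to-user table and the package UID are constructed inputs that mirror the thread's two variants. The `unreachable_entries` check is the one a practitioner would want: it flags any seapp_contexts entry whose name/seinfo pair mac_permissions.xml can never produce.

```python
import xml.etree.ElementTree as ET

AID_APP = 10000  # first application UID on Android; lower UIDs are reserved users
# Constructed stand-in for getpwuid(): a few reserved Android UIDs and their names
RESERVED_USERS = {1000: "system", 1001: "radio", 1002: "bluetooth"}

# Constructed mac_permissions.xml mirroring the thread: platform signer plus a
# per-package seinfo override for com.cisco.vvm.
MAC_XML_WITH_OVERRIDE = """<policy>
  <signer signature="@PLATFORM">
    <seinfo value="platform" />
    <package name="com.cisco.vvm">
      <seinfo value="vvm_app" />
    </package>
  </signer>
  <default><seinfo value="default" /></default>
</policy>"""

# Same file without the package stanza (Stephen's suggestion: select on the
# package name in seapp_contexts only).
MAC_XML_NO_OVERRIDE = """<policy>
  <signer signature="@PLATFORM"><seinfo value="platform" /></signer>
  <default><seinfo value="default" /></default>
</policy>"""

# Constructed seapp_contexts: generic entries plus the thread's two rule variants.
SEAPP_BASE = """
isSystemServer=true domain=system_server
user=system domain=system_app type=system_app_data_file
user=_app domain=untrusted_app type=app_data_file
user=_app seinfo=platform domain=platform_app type=platform_app_data_file
"""
SEAPP_PLATFORM_RULE = SEAPP_BASE + "user=_app seinfo=platform name=com.cisco.vvm domain=vvm_app type=platform_app_data_file\n"
SEAPP_VVM_RULE = SEAPP_BASE + "user=_app seinfo=vvm_app name=com.cisco.vvm domain=vvm_app type=platform_app_data_file\n"

INPUT_KEYS = ("isSystemServer", "user", "seinfo", "name")


def possible_seinfo(xml_text, package):
    """Every seinfo mac_permissions.xml could assign to `package`, keyed by signer
    ('<default>' for the fallback). A package stanza under a signer shadows that
    signer's own seinfo for this package."""
    root = ET.fromstring(xml_text)
    table = {}
    for signer in root.findall("signer"):
        node = signer.find("seinfo")
        for pkg in signer.findall("package"):
            if pkg.get("name") == package and pkg.find("seinfo") is not None:
                node = pkg.find("seinfo")
        if node is not None:
            table[signer.get("signature")] = node.get("value")
    default = root.find("default/seinfo")
    if default is not None:
        table["<default>"] = default.get("value")
    return table


def resolve_seinfo(xml_text, signer, package):
    """seinfo for an app signed by `signer` (e.g. '@PLATFORM')."""
    table = possible_seinfo(xml_text, package)
    return table.get(signer, table.get("<default>"))


def parse_seapp_contexts(text):
    """Each non-comment line becomes a dict of key=value selectors and outputs."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            entries.append(dict(tok.split("=", 1) for tok in line.split()))
    return entries


def username_for(uid):
    # libselinux maps every UID >= AID_APP to the pseudo-user "_app"
    return "_app" if uid >= AID_APP else RESERVED_USERS.get(uid)


def entry_matches(entry, uid, seinfo, name):
    """All selectors present in the entry must match the process attributes."""
    if entry.get("isSystemServer") == "true":
        return False  # only app processes are modelled here
    if "user" in entry and entry["user"] != username_for(uid):
        return False
    if "seinfo" in entry and entry["seinfo"] != seinfo:
        return False
    if "name" in entry and entry["name"] != name:
        return False
    return True


def select_entry(entries, uid, seinfo, name):
    """Most specific matching entry: selectors earlier in INPUT_KEYS outrank later ones."""
    candidates = [e for e in entries if entry_matches(e, uid, seinfo, name)]
    if not candidates:
        return None
    return max(candidates, key=lambda e: tuple(k in e for k in INPUT_KEYS))


def label_for(xml_text, seapp_text, signer, package, uid):
    """Returns (seinfo, process domain, data directory type) for the app."""
    seinfo = resolve_seinfo(xml_text, signer, package)
    entry = select_entry(parse_seapp_contexts(seapp_text), uid, seinfo, package)
    if entry is None:
        return seinfo, None, None
    return seinfo, entry.get("domain"), entry.get("type")


def unreachable_entries(xml_text, entries):
    """Entries selecting on name and seinfo whose seinfo mac_permissions.xml can
    never assign to that package; such an entry can never fire."""
    return [e for e in entries
            if "name" in e and "seinfo" in e
            and e["seinfo"] not in possible_seinfo(xml_text, e["name"]).values()]


if __name__ == "__main__":
    for label, xml, seapp in (("override + seinfo=platform rule", MAC_XML_WITH_OVERRIDE, SEAPP_PLATFORM_RULE),
                              ("override + seinfo=vvm_app rule", MAC_XML_WITH_OVERRIDE, SEAPP_VVM_RULE),
                              ("no override + seinfo=platform rule", MAC_XML_NO_OVERRIDE, SEAPP_PLATFORM_RULE)):
        print(label, "->", label_for(xml, seapp, "@PLATFORM", "com.cisco.vvm", 10050),
              "unreachable:", unreachable_entries(xml, parse_seapp_contexts(seapp)))
```

Run stand-alone it prints the three outcomes from the thread: with the package override present, the seinfo=platform entry never matches and the app falls through to the generic user=_app entry (untrusted_app, app_data_file); changing the entry to seinfo=vvm_app, or dropping the package stanza so the app keeps the platform seinfo, both select the vvm_app entry. Either fix is self-consistent; mixing the two is what `unreachable_entries` catches.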
